Important information for all Joomla website owners! On July 7, 2026, JoomShaper developers released an update for the popular Helix Ultimate template (version 2.2.7), which addresses a range of critical vulnerabilities. These include Open Redirect, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and unauthorized modification of site settings.

This update is mandatory for all sites using this template.

Please note!
If you are using the Helix Ultimate template, updating it will automatically update the Helix Ultimate Framework (plugin). If you are using a different template that relies on the same framework, updating only the Helix Ultimate Framework plugin is sufficient.

Understanding the Threat: what Was Fixed?

Analysis of the changes in version 2.2.7 shows that developers addressed several serious security issues that could have allowed attackers to compromise your site.

Key vulnerabilities fixed:

  1. Open Redirect: Fixed a vulnerability that allowed redirecting site visitors to external, potentially dangerous resources, which could be used for phishing attacks.

  2. Missing CSRF Tokens and Permission Validation (CWE-862): Added mandatory CSRF token validation and user permission checks for all AJAX actions in Helix Ultimate. Previously, an attacker could trick an authenticated administrator into performing unwanted actions (e.g., changing settings) without their knowledge.

  3. XSS Vulnerabilities (CWE-79): Fixed multiple issues with malicious JavaScript injection through media embeds, galleries, Mega Menu, Layout Builder, and font settings.

  4. File Upload Issues: Strengthened file upload validation — the media manager now only allows specific image types, and SVG and ICO file uploads are blocked.

  5. Path Traversal: Fixed path validation logic in media, layout, and blog operations, preventing reading or writing files outside of allowed directories.

  6. Unauthorized Export and Deletion: Added missing permission checks for blog image deletion and template settings export.

Who Is at Risk?

All sites using Helix Ultimate template versions below 2.2.7 are at risk.

Please note
Previous articles addressed vulnerabilities in the Helix 3 framework. Helix Ultimate is a separate product, and this vulnerability specifically affects it. If you are using older templates based on Helix 3, you need to update them according to the previous instructions.

How to Fix It: step-by-Step Instructions

To address these vulnerabilities, follow the steps below.

Step 1: update Helix Ultimate Immediately

  1. Go to your Joomla administrator panel and navigate to Extensions → Manage → Update.

  2. Click "Purge Cache" and then "Find Updates".

  3. Locate the update for the Helix Ultimate template in the list.

  4. Update to version 2.2.7 or higher.

If the update does not appear:
Download the latest version manually from the official developer website JoomShaper and install it via Extensions → Manage → Install.

Step 2: check for Signs of Compromise

Since there were multiple vulnerabilities affecting various aspects, conduct a thorough site inspection even if you have already updated.

  1. Check the /images folder: Using FTP or your hosting File Manager, review the images and media folders. Delete any suspicious files, especially with extensions like .php, .phtml, .svg, .ico, that may have been uploaded before the update.

  2. Check template settings: Go to Template Styles → Helix Ultimate → Advanced. Verify that settings have not been changed without your knowledge, particularly in the "Custom Code" and "SEO" sections.

  3. Check override files: Review the /templates/shaper_helixultimate/html folder for suspicious changes, especially html5.php, as XSS vulnerabilities have been found there in the past.

Step 3: additional Security Measures

In addition to updating the template, we strongly recommend:

  • Update the Joomla core to the latest version.

  • Install and configure Admin Tools Pro: Generate a strict .htaccess file, enable PHP script execution blocking in the /images and /media folders, and activate CSRF protection.

  • Enable two-factor authentication for all accounts with administrator and editor privileges.

  • Regularly create backups of your site to enable quick recovery in case of an incident.

Important!
If your site has been hacked and you are unsure what to do, or have any doubts, contact us immediately for assistance!